1. Field of the Invention
The invention is directed to a franking unit and to a method for generating valid data for franking imprints, of a type suited for use in the domestic area and by users who send only a few items of mail.
2. Description of the Prior Art
German PS 40 18 166 discloses a franking module for a personal computer for users with low mail volume. The franking module, which allows both the franking and the addressing of envelopes, is arranged in a drive bay slot of the personal computer. Such a franking module is surrounded by a secured housing and has the same circuitry as a postage meter machine without a letter transport means. It is self-evident that a franking module stripped down in this way can be offered more cheaply than a postage meter machine.
By using the franking module, the debiting of the franking value and the printing of the franking stamp image cannot be externally manipulated. The address data are read from a memory administered by the personal computer and are supplied to the franking module via the internal information network. It is still possible, however, that faulty address data are printed, so that the mail carrier has difficulty delivering the item to the recipient or cannot deliver it at all. Given a digital printing process, it is difficult to determine whether the printed franking stamp image is merely an unpaid-for copy of an earlier imprint combined with a different, desired address. Postal authorities have therefore prescribed specific, red fluorescent inks that are difficult to copy. As a result of the progress made in the meantime in color copiers and color printers, such a measure can no longer be considered a serious obstacle to producing counterfeit, unpaid imprints.
A printer with which letters can be printed and with which addresses can also be printed on envelopes also usually is connected to a personal computer. In principle, the envelope also can be franked with such a printing, however, it is difficult to prevent tampering given such open systems. A tamperer could attempt to supply data into the system via the unsecured connecting lines with fraudulent intent, the data appearing to come from an authorized source.
The United States Postal Service (USPS) published a catalogue in 1996 identifying requirements for the design of future secured franking systems (Information Based Indicia Program, IBIP). It urges that certain data be cryptographically encoded and printed on the letter to be franked in the form of a digital signature, with reference to which the postal authority can check the legitimacy of franking imprints. According to estimates, the USPS suffers an annual loss of approximately $200 million due to fraud. These requirements are differentiated according to the type of postage meter machine. Conventional postage meter machines, which usually print only a red franking stamp, are referred to as "closed systems" and, unlike those referred to as "open systems" (PC franking machines), need not incorporate the corresponding letter address into the cryptographically protected data. For open systems, a security module with advanced crypto technology and a secured housing, into which data from a data center can be written, continues to be prescribed.
U.S. Pat. No. 5,625,839 discloses sending update information to the postage meter machine as a data packet. A CRC checksum is used to check that the data transmission was free of error, but a CRC detects only accidental corruption and conveys nothing about the correctness or the origin of the transmitted content itself. A problem could arise because of the unprotected connecting line if a tamperer, with fraudulent intent, attempts to supply data to the postage meter machine as if they came from the data center.
German OS 38 40 041 therefore discloses an arrangement in which a postage meter machine is connected to a central computer via a TEMEX dedicated line that is always in operation. The postal customer enters the desired franking value into the postage meter machine. This is transmitted to the central computer, which is connected to an endorsement computer at which the customer has a postal giro account. After checking for sufficient funds, the endorsement computer undertakes the debiting and the central computer enables the franking function. The postage meter machine itself also has additional postal memories that can be interrogated over the data connection and offer additional security against data loss in case of a computer failure. The central computer triggers an alarm if this dedicated line is tapped in unauthorized fashion or is interrupted. Utilizing such a specific, secured line, however, is complicated and is not possible everywhere.
European Application 373 971 discloses a communication system wherein communication of address data from a local data bank to a central data bank in a data center takes place. An updating of the stored address data in the one central data bank of the data center on the basis of the communicated address data and a modification of the address data of the local data banks present in the system on the basis of the updated data of the data center is also undertaken.
Equivalence of the data in every local data bank with the data in the central data bank is thus in fact achieved. Given an unprotected connecting line, however, it cannot be prevented that an incorrect address is stored in the central data bank of the data center and transmitted from there to the respective local data banks of the other users.
European Application 782 296 discloses a public key method for fetching a certificate from an address book memory via an unprotected communication connection, but this can only assure that the communicated message is authentic, i.e. that it originates from the certificate holder. A message with false content whose certificate is genuine could just as easily be transmitted.
In addition to the correctness and veracity of a message, the correct debiting is also a concern in franking systems. A postage box in a terminal (U.S. Pat. No. 5,233,657) or a secured module (U.S. Pat. No. 5,625,694) in which the accounting data are stored has therefore already been proposed.
The terminal according to the solution disclosed in U.S. Pat. No. 5,233,657 is used as a telefax and franking device, whereby critical franking image data are requested from a data center and are then printed out as a franking imprint completed with other image data stored in the terminal. The communication between the terminal and the data center is secured with a cryptographic method, for example the known RSA method. The central processing unit of the terminal generates a security code from the data identifying the terminal, and this is printed together with the postage value. A disadvantage of this approach is the computationally intensive work that the central processing unit must perform, first when image data are decrypted according to the RSA method and, second, when the security code is generated.
In U.S. Pat. No. 5,625,694, a computer is equipped with a secured module. When a digital signature is requested from the secured module, which happens whenever the input postage value or the recipient address changes, the secured module generates a corresponding digital signature, communicates it to the microprocessor of the computer, and also implements the debiting. The microprocessor of the computer then generates a print image corresponding to the postage value and the recipient address as well as the communicated signature. A signature is not requested from the secured module only if neither the postage value nor the address has changed; a copy of the same imprint is thus not debited again in the secured module. The authenticity check for every individual piece of mail is left to the mail carrier. Even the slightest difference in the address affects the signature; however, it is not certain that the user will enter a valid recipient address. A piece of mail provided with an invalid recipient address may not be deliverable, even though it was franked with valid postage and the postage was properly debited in the secured module, because the address cannot be subsequently corrected. The necessity of arranging a secured module in the terminal equipment is a complication in all of the aforementioned solutions.
An object of the present invention is to provide a low-end franking unit with a local data bank, wherein valid addresses are stored in the local data bank of the franking unit. It is a further object to provide a method for generating valid data for franking imprints, so that valid postage values with valid addresses can be printed onto the piece of mail together with a signature.
The above object is achieved in accordance with the principles of the present invention in a franking unit having a first computer and a printer connected thereto, the first computer containing a memory with a local data bank for postal recipient addresses. The franking unit, and specifically the first computer, is in communication via a communication path with a second computer at a data center remote from the franking unit, this second computer having access to a central data bank. The first computer is programmed to access a stored, specific postal recipient address or to intermediately store a newly entered, specific postal recipient address, and to communicate this postal recipient address as part of request data to the data center. The request data include identification data of the mail sender (i.e. the party operating the franking unit) plus postal shipping data including the specific postal recipient address. The second computer at the data center checks the correctness of the postal recipient address in the request data against an address file stored in the central data bank. If and only if the postal recipient address transmitted in the request data is correct does the second computer transmit a valid postage value and a security signature to the first computer at the franking unit. If the postal recipient address transmitted in the request data is not correct and the second computer cannot correct it, the second computer transmits an error message and no postage value or security signature. When the postage value and security signature are received by the first computer, the first computer operates the franking unit to print an authentic franking imprint, incorporating the postage value and the security signature, onto a piece of mail.
The above object is also achieved in accordance with the invention in a method for generating valid data for a franking imprint, wherein a franking unit formulates request data and transmits them via a communication path to a data center remote from the franking unit, and requested data are transmitted back to the franking unit and stored therein. The formulation and communication of the request data are undertaken by a first computer at the franking unit, and the requested data returned to it include a security signature generated by a second computer located at the data center. The request data include at least one information group with postal recipient address data and identification data of the franking unit that transmitted the request. At the second computer, the postal recipient address data contained in the request data are compared with address data in a central data bank to which the second computer has access. Only upon verification that the postal recipient address is correct does the second computer generate a security signature over the verified data, using an asymmetric crypto-algorithm and a secret private key. The verified data and the security signature are transmitted from the second computer back to the first computer. At the first computer, the authenticity of the data received from the second computer is checked against the security signature using the corresponding public key. If the data transmitted from the second computer are found to be authentic, they are stored in the local data bank at the first computer.
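The request and response exchange described above, as an added example that is not part of the patent text and not the applicant's code: a small Go program in which the data center holds a constructed sample address file and an Ed25519 private key, verifies and corrects the recipient address, prices the item by a constructed two-step fee schedule and returns the verified cleartext plus a signature, while the franking unit holds only the public key, verifies the signature over exactly the bytes it will print, and stores the address in its local data bank only after that check succeeds. Ed25519, the JSON encoding used as the signed byte string, the field names, the sample addresses and the per-imprint serial counter are all assumptions of this example; the patent itself specifies only an asymmetric algorithm with the private key kept at the data center and a public key at the franking unit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Address is a postal recipient address as held in the local and the central data bank.
type Address struct{ Name, Street, Zip, City string }

// SignedData is the cleartext the data center signs and returns; the imprint is built from it.
// Serial is a per-imprint counter (an assumption here), so two issued imprints never share a signature.
type SignedData struct {
	SenderID  string
	Recipient Address
	Postage   int // cents
	Serial    uint64
}

// Response is the short reply on the open line: cleartext plus signature, no image data.
type Response struct {
	Data      SignedData
	Signature []byte
}

// canonical is the byte string both sides sign and verify (json.Marshal has a fixed field order).
func canonical(d SignedData) []byte {
	b, _ := json.Marshal(d) // cannot fail for these plain types
	return b
}

var ErrAddress = errors.New("recipient address not found in central data bank")

// DataCenter is the second computer: it alone holds the private key and the address file.
type DataCenter struct {
	priv   ed25519.PrivateKey
	file   map[string]string // "zip street" -> city (constructed sample address file)
	serial uint64
}

func NewDataCenter() (*DataCenter, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	file := map[string]string{"10115 Invalidenstraße": "Berlin", "80331 Marienplatz": "München"}
	return &DataCenter{priv: priv, file: file}, pub
}

// HandleRequest checks zip code and street against the central file, corrects the city name from
// them, prices the item by a constructed fee schedule and signs the verified data. A wrong address
// gets an error and never a signature.
func (dc *DataCenter) HandleRequest(senderID string, recipient Address, weightG int) (Response, error) {
	city, ok := dc.file[recipient.Zip+" "+recipient.Street]
	if !ok {
		return Response{}, ErrAddress
	}
	recipient.City = city // zip code and street are authoritative; a misspelt city name is corrected
	fee := 160            // cents, items over 20 g (constructed schedule)
	if weightG <= 20 {
		fee = 85
	}
	dc.serial++
	data := SignedData{senderID, recipient, fee, dc.serial}
	return Response{Data: data, Signature: ed25519.Sign(dc.priv, canonical(data))}, nil
}

// FrankingUnit is the first computer: public key and local data bank only, no secured module.
type FrankingUnit struct {
	pub   ed25519.PublicKey
	local map[string]Address // verified addresses, keyed by recipient name
}

// Accept verifies the signature over exactly the bytes the imprint is built from and only then
// stores the address in the local data bank; a response altered in transit is rejected.
func (fu *FrankingUnit) Accept(resp Response) error {
	if !ed25519.Verify(fu.pub, canonical(resp.Data), resp.Signature) {
		return errors.New("signature invalid: data not authentic")
	}
	if fu.local == nil {
		fu.local = map[string]Address{}
	}
	fu.local[resp.Data.Recipient.Name] = resp.Data.Recipient
	return nil
}

func main() {
	dc, pub := NewDataCenter()
	fu := &FrankingUnit{pub: pub}
	resp, err := dc.HandleRequest("FU-0001", Address{"A. Muster", "Invalidenstraße", "10115", "Berlon"}, 18)
	if err != nil {
		fmt.Println("no imprint:", err)
		return
	}
	fmt.Println("authentic:", fu.Accept(resp) == nil)
	fmt.Printf("imprint: %+v sig %x\n", resp.Data, resp.Signature[:8]) // printing may happen any time later
	resp.Data.Postage = 1 // tampering after signing is caught by the franking unit
	fmt.Println("tampered response accepted:", fu.Accept(resp) == nil)
}
```

Two points a practitioner would check in such a design. The franking unit verifies the signature over bytes it re-serializes itself from the received fields, so anything altered on the unprotected connecting line (postage, address or sender) fails verification, and the public key alone cannot be used to forge a response. The signed data also carry a serial, so a duplicated imprint can be told apart from a freshly issued one by the carrier, which the signature by itself would not allow; the patent leaves that detail open, and the serial here is an assumption.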
The necessity of arranging a secured module in the terminal equipment is eliminated in the inventive apparatus and method. The necessity of reloading a credit into the terminal equipment, and of designing the communication to be correspondingly secure against manipulation of the credit, is thus also eliminated. Inventively, the digital signature is generated in a data center of a postage meter machine manufacturer or of a mail carrier. The communication with the data center is relatively short, since the communicated cleartext data contain no image data and not all data are encrypted; instead, only a relatively short signature is transmitted back in addition to the cleartext data. The service of the data center with respect to an incorrectly input mail recipient address is also advantageous: misfrankings can thus be avoided. In one version, the data center can calculate the postage according to the currently valid fee schedule as an additional service. The fact that secret keys and other security-relevant data are stored only in the data center and cannot be read out from the outside also benefits the resistance to tampering. Imprinting the communicated data onto the piece of mail can also take place at an arbitrarily later point in time. There are no limitations with respect to the external image generation from the communicated data, so different printing methods can be used. The different use conditions and demands of the individual mail carriers can be met best in this way.